On 13 September 2016 at 13:52, Stian Thorgersen <sthorger(a)redhat.com> wrote:
Looks quite interesting. Not sure the event system is the correct place as
it's really read-only so couldn't impact the login itself. Maybe an
authenticator would be a better place to implement it.
It could also be combined with having a risk level associated on users
that can then be viewed in the admin console (from the MS vid you shared
the other day).
On 11 September 2016 at 01:44, Thomas Darimont <
thomas.darimont(a)googlemail.com> wrote:
> Hello group,
>
> Just saw an interesting talk from Java Zone 2016 about
> OWASP AppSensor which is a set of libraries that provide application
> level intrusion detection.
>
> The speaker (Dominik Schadow, author of the German book Java Web Security)
> mentions that having application level intrusion detection has the advantage
> of taking application context into account when assessing a user action,
> compared to a web application firewall that simply scans for "known" attack
> patterns.
>
> I think this could be interesting for some public facing parts of
> Keycloak
> (login, account, password-reset, consent, admin-console, REST endpoints
> etc.)
>
> AppSensor comes with a wide variety of predefined DetectionPoints.
> These detection points can be used to identify a malicious user that is
> probing for vulnerabilities or weaknesses:
>
> https://www.owasp.org/index.php/AppSensor_DetectionPoints
>
> This could be embedded into the Keycloak Event System by emitting
> "IDS-Events" that could then be analyzed by an EventListener which then
> performs appropriate actions, e.g. logging a user out, locking a user or
> blocking the account or even the IP address for a while.
>
> https://www.owasp.org/index.php/OWASP_AppSensor_Project
>
> http://www.appsensor.org/
>
> Talk: The Web Application Strikes Back
>
> https://2016.javazone.no/program/the-web-application-strikes-back
>
> Example application: duke-encounters
>
> https://github.com/dschadow/ApplicationIntrusionDetection
>
> Cheers,
> Thomas
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
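The EventListener approach sketched in Thomas's message, as an added example that is not part of the thread and not Keycloak project code: one AppSensor-style detection point ("repeated failed logins from a single IP address within a time window") implemented as a Keycloak EventListenerProvider. It assumes the Keycloak 2.x event SPI (org.keycloak.events.EventListenerProvider, Event, EventType, EventListenerProviderFactory); the class names, the provider id "ids-failed-login", the threshold and the window size are assumptions. In line with Stian's remark that the event system is read-only, the response on detection is to record a security event, not to interfere with the login flow.

```java
// Added example (not Keycloak project code): a single AppSensor-style detection
// point on top of Keycloak's event SPI. Class names and parameters are assumed.
package example.ids;

import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;

import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

public class FailedLoginDetectionPointListener implements EventListenerProvider {
    private static final Logger LOG =
        Logger.getLogger(FailedLoginDetectionPointListener.class.getName());

    // Detection point parameters (assumed values): THRESHOLD failures within WINDOW_MS from one IP.
    private static final int THRESHOLD = 5;
    private static final long WINDOW_MS = 60_000L;

    // Shared across listener instances, because Keycloak creates a new provider per session.
    private static final Map<String, Deque<Long>> FAILURES_BY_IP = new ConcurrentHashMap<>();

    @Override
    public void onEvent(Event event) {
        // Only failed logins with a known source address feed this detection point.
        if (event.getType() != EventType.LOGIN_ERROR || event.getIpAddress() == null) {
            return;
        }
        if (recordFailure(event.getIpAddress(), event.getTime())) {
            // The listener cannot alter the login outcome; it records an IDS event
            // that an operator or a downstream system can act on.
            LOG.warning(String.format(
                "IDS detection point: %d failed logins within %d ms from %s (realm=%s, user=%s, error=%s)",
                THRESHOLD, WINDOW_MS, event.getIpAddress(), event.getRealmId(),
                event.getUserId(), event.getError()));
        }
    }

    /** Records one failure for the IP and returns true when the sliding-window threshold is reached. */
    static boolean recordFailure(String ip, long nowMillis) {
        Deque<Long> window = FAILURES_BY_IP.computeIfAbsent(ip, k -> new ArrayDeque<>());
        synchronized (window) {
            window.addLast(nowMillis);
            // Drop timestamps that fell out of the window.
            while (!window.isEmpty() && nowMillis - window.peekFirst() > WINDOW_MS) {
                window.pollFirst();
            }
            return window.size() >= THRESHOLD;
        }
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // Admin events are not part of this detection point.
    }

    @Override
    public void close() {
        // Nothing per-session to release.
    }

    // Factory, to be listed in META-INF/services/org.keycloak.events.EventListenerProviderFactory.
    public static class Factory implements EventListenerProviderFactory {
        @Override
        public EventListenerProvider create(KeycloakSession session) {
            return new FailedLoginDetectionPointListener();
        }

        @Override
        public void init(Config.Scope config) {
        }

        @Override
        public void postInit(KeycloakSessionFactory factory) {
        }

        @Override
        public void close() {
        }

        @Override
        public String getId() {
            return "ids-failed-login"; // assumed provider id
        }
    }
}
```

Once the jar is deployed, the listener still has to be enabled per realm in the admin console (Events, Config, Event Listeners) before it receives events. The per-IP window is process-local, so in a clustered deployment each node counts on its own; a shared store would be needed for a cluster-wide threshold, and a periodic sweep of idle entries in FAILURES_BY_IP would be needed to keep memory bounded under a long-running flood of addresses.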